A familiar refrain of some corporate clients discussing data breaches is: “We’re not a health care company. We also don’t process customer credit card transactions. We really don’t collect protected health information or personally identifiable information from customers in any way. Do we need to be worried about data breaches?” A June 15, 2015 decision from the U.S. Central District of California reaffirms that the answer is a resounding, unqualified YES for any company that has employees, which means almost any company of any kind, regardless of whether it provides health-care-related services or processes customer credit card transactions.

As to the negligence claims, Sony also argued that the plaintiffs had failed to adequately allege the element of injury and that the claims were barred by the economic loss doctrine. The court again disagreed. It found the allegations of injury sufficient because of the public disclosure of PII and PHI on file-sharing websites, and it found that the economic loss doctrine did not bar the claims because a special relationship existed between the employees and Sony that required the plaintiffs to provide their PII and PHI to Sony in exchange for compensation and benefits.

The UCL claims likewise survived because of sufficient allegations of injury in fact, and the court deemed Sony’s attack on the injunctive and declaratory relief claims premature.

As to the other claims, the court dismissed the breach of implied contract claims with prejudice because there were no facts indicating that Sony intended to frustrate the common purpose of the employment agreements (employment in exchange for compensation and benefits). The court also dismissed the California Customer Records Act (Cal. Civ. Code Sec. 1798.80, et seq.) claims with prejudice because the statute was intended to protect customers, not employees, and there were no allegations that Sony had violated the statute as to customers. And the court dismissed, without prejudice, the claims under the Virginia and Colorado data breach notification statutes (Va. Code Sec. 18.2-186.6(B), Colo. Rev. Stat. Ann. Sec. 6-1-716(2)) because the plaintiffs had not alleged any injury arising from the alleged untimely notification.

This decision once again highlights that data breach is a problem that affects virtually any corporation, regardless of the nature of its business, because to receive compensation and benefits, employees generally must share PII and PHI with the corporation (creating obligations for the corporation to protect and respond to any breach of that information). Potential data breach class action adversaries are not just external to the corporation. The claims can also come from insiders.